Employer Obligations to Secure Employee Privacy Against Cyber Attacks

Major data theft has become a fact of life in the digital age. When an employer suffers a security breach and loses sensitive information about its employees, employees can face long-term problems with identity theft and violated privacy. But does a Nevada employer face legal liability to its affected employees when such a breach occurs? The law is unclear.

Employers are required to maintain the confidentiality of a wide range of employee information. For example, under federal and state law, health records must be scrupulously kept apart from other information, with access limited only to appropriate individuals. Employees are entitled to an expectation of privacy regarding other records as well. An employer shouldn’t leave documents with wage information lying around for anyone to look at.

These kinds of restrictions generally prohibit deliberate disclosures of information. In the context of a data breach, in which an outside actor unlawfully breaks into a company’s computer system and steals information, the employer has not deliberately disclosed anything. An employee whose information is stolen must rely on a different theory to recover compensation. One possibility is negligence.

An employer’s duty to protect employee information from theft

Cases addressing this question have thus far shown that proving negligence can be a challenge for employees affected by data breaches. Among other things, proving negligence requires a plaintiff to show that a defendant breached a legal duty of care, and as a consequence caused the plaintiff to suffer a compensable loss.

In Castillo v. Seagate Tech., LLC, 2016 U.S. Dist. LEXIS 187428 (N.D. Cal. 2016), employees sued an employer for negligence after the employer disclosed W-2 information to a third party that requested it using a malicious phishing scheme. The hackers used employee data to file fraudulent tax returns. Significantly, the court held that the employer owed its employees, together with their spouses and dependents, a legal duty to protect their personal information against foreseeable attempts to steal it. But the court went on to find that many of the employees in the case hadn’t shown that they’d suffered compensable damages as a consequence of the employer’s breach of duty. In short, even though the company owed its employees a duty to prevent theft of their personal information, the employees couldn’t sue for negligence without showing that the theft resulted in real costs.

It’s not clear whether a Nevada court would follow the logic of Castillo to impose a similar legal duty upon employers to protect employee records. Courts elsewhere have not imposed such an obligation under similar circumstances. For example, in Dittman v. UPMC, 154 A.3d 318 (Sup. Ct. Pa. 2017), a Pennsylvania court held that an employer had no legal duty to protect electronic records against an attack unless the likelihood of such an attack was well understood, for example because the employer had suffered a similar attack in the past.

Talk to an attorney if your information has been stolen

Talking to an attorney is an important step for employees who have had their personal information stolen from an employer’s systems. The attorneys at Greenman Goldberg Raby Martinez provide personalized, caring guidance to clients in the Las Vegas area. We are happy to explain your legal options for seeking compensation after an employer data breach. For a no-cost attorney consultation, call us today at 702-388-4476, or ask us to call you through our contact page.